Compliance posture comparison

Side-by-side view of all 22 tools' SOC 2, zero-retention, SSO, SCIM, HIPAA BAA, and data-residency posture. Use this to filter your AI stack by compliance requirements (HIPAA BAA needed? EU residency required? Only enterprise-tier features qualify?).

⚠ Editorial data — verify before relying

Compliance posture data is editorially curated from each vendor's trust page or security docs and was last verified on the dates shown per row. Posture changes faster than we re-verify — always confirm against the vendor's live trust page before making a compliance-critical decision. The Toolkit's editorial team is not a substitute for your firm's legal + compliance review.

"Verify with vendor" means the vendor does not publish that information publicly — request it directly before relying on the tool for client-data or firm-data work.

| Tool | Stage | SOC 2 | Zero retention | SSO | SCIM | HIPAA BAA | Data residency |
|---|---|---|---|---|---|---|---|
| Claude (Anthropic) | Get started | SOC 2 Type II | Enterprise only | Enterprise only | Enterprise only | Enterprise only | US only |
| ChatGPT (OpenAI) | Get started | SOC 2 Type II | Business tier+ | Business tier+ | Enterprise only | Enterprise only | Configurable |
| Copilot for M365 (Microsoft) | Get started | SOC 2 Type II | All paid tiers | All paid tiers | All paid tiers | Available | Configurable |
| Gemini (Google) | Get started | SOC 2 Type II | All paid tiers | All paid tiers | All paid tiers | Available | US + EU |
| Perplexity | Get started | SOC 2 Type II | Enterprise only | Enterprise only | Enterprise only | Verify with vendor | US + EU |
| Jump | Get faster | SOC 2 Type II | All paid tiers | Enterprise only | Enterprise only | Available | Verify with vendor |
| Zocks | Get faster | SOC 2 Type II | All paid tiers | All paid tiers | All paid tiers | Available | Verify with vendor |
| Pulse360 | Get faster | SOC 2 Type II | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor |
| FP Alpha | Get faster | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor |
| Catchlight | Get faster | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor |
| Otter.ai | Get faster | SOC 2 Type II | Enterprise only | Enterprise only | Verify with vendor | Enterprise only | Verify with vendor |
| Loom (Atlassian) | Get differentiated | SOC 2 Type II | Enterprise only | Enterprise only | Enterprise only | Not offered | Verify with vendor |
| Canva (Magic Studio) | Get differentiated | SOC 2 Type II | Verify with vendor | Enterprise only | Enterprise only | Not offered | Verify with vendor |
| NotebookLM | Get differentiated | SOC 2 Type II | All paid tiers | All paid tiers | All paid tiers | Enterprise only | Configurable |
| Descript | Get differentiated | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor |
| Gamma | Get differentiated | SOC 2 Type II | Business tier+ | Business tier+ | Verify with vendor | Not offered | Verify with vendor |
| HeyGen | Get differentiated | SOC 2 Type II | Verify with vendor | Enterprise only | Enterprise only | Not offered | US only |
| Synthesia | Get differentiated | SOC 2 Type II | Verify with vendor | Enterprise only | Verify with vendor | Not offered | EU only |
| ElevenLabs | Get differentiated | SOC 2 Type II | Enterprise only | Enterprise only | Verify with vendor | Enterprise only | Configurable |
| Zapier | Get systemic | SOC 2 Type II | Verify with vendor | Enterprise only | Enterprise only | Not offered | US only |
| Reclaim.ai | Get systemic | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor | Verify with vendor |
| n8n | Get systemic | SOC 2 Type II | Self-hosted only | Enterprise only | Enterprise only | Self-hosted only | Configurable |

Notes per tool

Nuance the matrix can't capture. Always read alongside the per-cheatsheet "Compliance gotchas" section for tier-specific configuration details.

Claude (Anthropic) · Last verified 2026-05-29
Also ISO 27001 + ISO 42001 certified. HIPAA on Claude Enterprise requires a signed BAA + Zero Data Retention addendum + workspace configuration matching the HIPAA-ready service requirements.
ChatGPT (OpenAI) · Last verified 2026-05-29
Also ISO 27001 + ISO 27701. Data residency available in US/EU/UK/JP/CA/KR/SG/AU/IN/UAE for eligible Enterprise + Edu + API customers. ChatGPT for Healthcare is the BAA-eligible workspace.
Copilot for M365 (Microsoft) · Last verified 2026-05-29
Inherits the M365 stack: SOC 2 + ISO 27001 + ISO 42001 + FedRAMP High. Advanced Data Residency + Multi-Geo add-ons; EU Data Boundary for EU customers. An existing M365 BAA covers Copilot. Web-search queries are NOT covered by the BAA.
Gemini (Google) · Last verified 2026-05-29
SOC 1/2/3 + ISO 27001/27017/27018/27701/42001 + FedRAMP High. Workspace tiers inherit the Google BAA when properly enabled; consumer Gemini sits OUTSIDE the BAA boundary. Prompts + outputs are ephemeral per Google.
Perplexity · Last verified 2026-05-29
SOC 2 Type II covering security, availability, processing integrity, confidentiality, privacy. 2025 HIPAA Gap Assessment completed but no public BAA. Sonar API has Zero Data Retention by default.
Jump · Last verified 2026-05-29
Zero-day data retention configurable per firm. No-recording / summary-only capture available. Audit trail per interaction. Client data never used for model training. FA-specific compliance settings.
Zocks · Last verified 2026-05-29
SOC 2 Type II since Nov 2023. No-recording stance built in. AES-256 on AWS S3. Smarsh + Global Relay archive integrations. User-controlled retention at object level (per-meeting deletion).
Pulse360 · Last verified 2026-05-29
SOC 2 Type II. AWS infrastructure supports HIPAA/HITECH. CaptureGenius meeting recorder stores per SEC/FINRA compliance. Third-party providers do not retain beyond 24h or use for AI training. Verify SSO/SCIM/BAA terms directly with Pulse360 before adoption.
FP Alpha · Last verified 2026-05-29
FP Alpha does not publish detailed compliance documentation publicly. Request the SOC 2 report + BAA terms + data-residency posture directly before uploading client tax returns, estate documents, or insurance dec pages.
Catchlight · Last verified 2026-05-29
Incubated in Fidelity Labs (compliance-aware lineage) but Catchlight does not publish detailed posture publicly. Request the SOC 2 report + DPA + prospect-data handling terms directly. Especially relevant in strict-privacy states (CA, etc.) given inferred-financial-signal data.
Otter.ai · Last verified 2026-05-29
SOC 2 Type II since Jan 2022. HIPAA compliance achieved July 2025 — Enterprise plan only, BAA via account manager. Customer-defined retention; secure deletion on request. 2FA + AES-256 + TLS. CRM integrations Enterprise-only.
Loom (Atlassian) · Last verified 2026-05-29
SOC 2 Type II + GDPR + CCPA. Enterprise via Atlassian Guard Standard for SAML SSO + SCIM + advanced content privacy + custom data retention + 99.95% uptime SLA. Loom CANNOT sign BAAs — do NOT transmit or store PHI.
Canva (Magic Studio) · Last verified 2026-05-29
SOC 2 Type II + ISO 27001 + GDPR + CCPA. SAML 2.0 SSO with Okta/OneLogin/Google Workspace at Enterprise. SCIM provisioning + role-based access + audit logs at Enterprise. Canva does NOT sign BAAs for HIPAA-regulated uses.
NotebookLM · Last verified 2026-05-29
NotebookLM Enterprise HIPAA-certified since March 2025. SOC 2 + VPC-SC + ISO 27001 + Cloud Audit Logs. Data not used to train models. US/EU/Global multi-regions configurable. Workspace + Enterprise tiers inherit the Google identity stack. Consumer NotebookLM (free/Plus/Pro/Ultra) sits OUTSIDE this boundary.
Descript · Last verified 2026-05-29
Descript does not publish detailed compliance documentation publicly. An Enterprise tier exists with SSO + dedicated support + security review per Descript marketing, but specifics need direct vendor confirmation. Verify SOC 2 + retention + BAA terms before client-data work.
Gamma · Last verified 2026-05-29
SOC 2 Type II since Oct 2025. GDPR DPA. SSO at Business tier ($40/seat, 10-seat min). Training opt-out for business data. PHI explicitly prohibited per Gamma terms — NOT a HIPAA-compliant solution.
HeyGen · Last verified 2026-05-29
SOC 2 Type II + GDPR + CCPA + EU-US Data Privacy Framework + EU AI Act compliance. US-only data storage on AWS; DPF enables lawful EU-to-US transfer. NO published HIPAA, NO BAA available as of early 2026 — verify directly before any PHI-adjacent use.
Synthesia · Last verified 2026-05-29
SOC 2 Type II since 2022. ISO 27001 + ISO 42001 (first GenAI company to achieve 42001, Sept 2024). EU-only storage (Ireland primary, Frankfurt secondary backup). SAML SSO at Enterprise. 90-day deletion timeline on request.
ElevenLabs · Last verified 2026-05-29
SOC 2 Type II + ISO 27001 + PCI DSS Level 1. HIPAA via Enterprise BAA + mandatory Zero Retention Mode. US/EU/India data residency options. 2FA + end-to-end encryption.
Zapier · Last verified 2026-05-29
SOC 2 Type II + SOC 3. SAML SSO + SCIM at Enterprise (Okta/Azure AD/OneLogin). AES-256 encryption + multi-region redundancy. Zapier CANNOT sign BAAs — PHI handling is NOT supported. No EU-only data storage option.
Reclaim.ai · Last verified 2026-05-29
Reclaim does not publish detailed compliance documentation publicly. Request the SOC 2 report + DPA + retention terms directly before granting full calendar read/write access — Reclaim sees all event titles + attendees + descriptions.
n8n · Last verified 2026-05-29
SOC 2 Type II. n8n Cloud is EU-hosted (Azure). Self-hosting enables a region of your choice + SAML/OIDC SSO + SCIM + RBAC + VPC + IP allowlist + HIPAA (Cloud cannot sign a BAA). AES-256 at rest + TLS in transit.

Color key

  • Green — Strong posture; available on most or all tiers.
  • Amber — Available but with conditions (specific tier, configuration, or geography).
  • Blue — Available via a non-standard path (e.g. self-hosting required).
  • Red — Not offered; the vendor explicitly does not support this requirement.
  • Grey — Vendor doesn't publish this publicly; verify directly before relying.